Avast WEBforum

Other => Viruses and worms => Topic started by: nitin1612 on October 12, 2008, 10:05:23 AM

Title: Malware/Rootkit - NTOS.exe
Post by: nitin1612 on October 12, 2008, 10:05:23 AM
Hi Guys,
Every time I start my computer, avast detects NTOS.exe files as malware or rootkit and I delete the file. Next time when I boot my system it again comes up. Is there any way to get rid of this problem permanently? Appreciate your help on this... thanks!
Title: Re: Malware/Rootkit - NTOS.exe
Post by: essexboy on October 12, 2008, 01:57:01 PM
For this little problem you will need a specialist tool as the replicator file is not being deleted.  I would recommend for starters that you use SDFix

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Title: Re: Malware/Rootkit - NTOS.exe
Post by: FreewheelinFrank on October 12, 2008, 02:47:32 PM
Try a boot time scan with avast! first: this is when avast! is able to remove rootkits.

Right click the avast! scanner screen (or click the tab at the top left) and select 'Schedule a boot time scan'. Reboot when requested.
Title: Re: Malware/Rootkit - NTOS.exe
Post by: polonus on October 12, 2008, 03:37:07 PM
Hi nitin1612,

Recognition of a NTOS.exe infection:

As soon as this Trojan horse has been activated, it creates the following mutex, seeing to it that only one copy of the threat is actively running on the infected machine:

__SYSTEM__64AD0625__

The Trojan then checks whether the following firewall programs are active on the infected machine:

• ZLCLIENT.EXE
• OUTPOST.EXE

Then the Trojan collects the following information on the infected computer:

• Version of the operating system (OS)
• Whether Service Pack 2 has been installed
• What language the system is running

Then the Trojan copies itself to the following location and adds random data to the file to vary its file size:

%System%\ntos.exe

The Trojan then creates the following folder with hidden system attributes:

%System%\wsnpoem

The Trojan horse then creates the following files that are being initially used to gather information and secondly to save the encrypted configuration of the Trojan:

• %System%\wsnpoem\audio.dll
• %System%\wsnpoem\video.dll


Then the Trojan horse creates the following registry entries, which are executed every time at start-up:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"

The Trojan also changes the following registry entry so that it is executed every time Windows starts up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\ntos.exe"

Then it injects malicious code into the following running processes:

• WINLOGON.EXE
• SVCHOST.EXE


The Trojan horse is a threat to all running processes, except the following process:

CSRSS.EXE

The Trojan also creates a couple of the following mutexes to synchronize all active threads that are running in memory:

• __SYSTEM__23D80F10__
• __SYSTEM__45A2F601__
• __SYSTEM__7F4523E5__
• __SYSTEM__91C38905__


The injected code will try to prevent the Trojan from being deleted by blocking attempts to delete any of the malicious files. The Trojan horse will regenerate all sub keys that are associated with malicious files that have been deleted.

Then the Trojan horse can create the following registry entries as infection markers:

HKEY_LOCAL_MACHINE\Software\microsoft\windows nt\currentversion\network\"UID" = "[COMPUTERNAME]_[UNIQUE_ID]"

HKEY_CURRENT_USER\Software\microsoft\windows\currentversion\explorer\"{6780A29E-6A18-0C70-1DFF-1610DDE00108}" = "[HEXADECIMAL VALUE]"

HKEY_CURRENT_USER\Software\microsoft\windows\currentversion\explorer\"{F710FA10-2031-3106-8872-93A2B5C5C620}" = "[HEXADECIMAL VALUE]"

The Trojan deletes all cookies in Internet Explorer, so that users have to enter their user name and password again every time they log in to their bank account website.

The Trojan saves info to steal passwords from the infected machine.

Then it hijacks the following system functions in NTDLL.DLL using rootkit techniques, so that malicious code is injected into every process:

• NtCreateThread
• LdrLoadDll
• LdrGetProcedureAddress


The Trojan tries to hijack the following functions from the WININET.DLL library to check network functions and to steal confidential private data:

• HttpSendRequestW
• HttpSendRequestA
• HttpSendRequestExW
• HttpSendRequestExA
• InternetReadFile
• InternetReadFileExW
• InternetReadFileExA
• InternetQueryDataAvailable
• InternetCloseHandle


The Trojan tries to steal the following functions of WS2_32.DLL and WSOCK32.DLL libraries to check confidential net info:

• send
• sendto
• closesocket
• WSASend
• WSASendTo

The Trojan also tries to hijack the following functions of the USER32.DLL library with similar aims:

• GetMessageW
• GetMessageA
• PeekMessageW
• PeekMessageA
• GetClipboardData

The Trojan can change the contents of the following hosts file:

%System%\drivers\etc\.

The Trojan can execute the following activities on an infected machine:

• Hijacking network traffic
• Keylogging
• Stealing clipboard information
• Saving screenshots of the present desktop
• Re-directing all traffic


The Trojan horse has been configured to look for specific keywords that are typed inside URLs and HTTP packets:

• *Tan*
• *Schmetterling*
• *berweisung*
• *Amount*
• *tanentry*
• *RESULT2*
• *citibank.de/*
• I2=*&H0=DT
• *banking.*/cgi/ueber*.cgi*
• ###=######&tid=*
• [https://]onlineeast.bankofamerica.com/cgi-bin/ias/*/GotoW[REMOVED]
• CustomerServiceMenuEntryPoint?custAction=75
• bankofamerica.com/cgi-bin/ias/*/GotoWelcome
• *

Good luck cleansing this "rotter" from your computer,

polonus
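The persistence entries polonus lists (the `Run\userinit` values, the extra path appended to the Winlogon `Userinit` value, the `ntos.exe` file and `wsnpoem` folder under `%System%`, and the `__SYSTEM__XXXXXXXX__` mutex names) are exactly the things a defender checks to confirm or rule out this infection. The following Python is an added example, not code from the forum thread or from any of its posters: it runs the checks over a constructed registry snapshot and directory listing so it works offline on any platform. The function names `find_indicators`, `extra_userinit_entries` and `is_suspicious_mutex`, the `{key: {value_name: data}}` snapshot layout, and the sample data are all assumptions of this example; on a live Windows host the reader would fill the snapshot from `winreg` and `os.listdir` instead.

```python
import ntpath
import re

# Indicators taken from the thread's description of the NTOS.exe infection.
DEFAULT_USERINIT = "userinit.exe"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROPPED_NAMES = ("ntos.exe", "wsnpoem")
# Mutex names in the thread look like __SYSTEM__ + 8 hex digits + __.
MUTEX_PATTERN = re.compile(r"__SYSTEM__[0-9A-F]{8}__")


def _lookup(registry, key, value_name):
    """Case-insensitive lookup in a {key_path: {value_name: data}} snapshot
    (registry key and value names are not case-sensitive on Windows)."""
    for k, values in registry.items():
        if k.lower() == key.lower():
            for n, data in values.items():
                if n.lower() == value_name.lower():
                    return data
    return None


def extra_userinit_entries(userinit_value):
    """Return every entry in a Winlogon\\Userinit value other than userinit.exe.
    The stock value is one path followed by a trailing comma; the infected value
    in the thread appends ', %System%\\ntos.exe'. ntpath handles backslash
    paths even when this runs on a non-Windows analysis box."""
    parts = [p.strip() for p in userinit_value.split(",")]
    return [p for p in parts if p and ntpath.basename(p).lower() != DEFAULT_USERINIT]


def is_suspicious_mutex(name):
    """True when a mutex name has the __SYSTEM__XXXXXXXX__ shape from the thread."""
    return MUTEX_PATTERN.fullmatch(name) is not None


def find_indicators(registry, system_dir_names):
    """Check the Run keys, the Winlogon Userinit value and the %System% listing.
    Returns a list of (kind, detail) tuples; an empty list means nothing hit."""
    findings = []
    for key in RUN_KEYS:
        data = _lookup(registry, key, "userinit")
        if data and "ntos.exe" in data.lower():
            findings.append(("run_key", key + "\\userinit = " + data))
    userinit = _lookup(registry, WINLOGON_KEY, "Userinit") or ""
    for extra in extra_userinit_entries(userinit):
        findings.append(("winlogon_userinit", extra))
    lowered = {n.lower() for n in system_dir_names}
    for name in DROPPED_NAMES:
        if name in lowered:
            findings.append(("system_dir", name))
    return findings


# Constructed sample snapshots for demonstration (not captured from a real host).
INFECTED_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "userinit": r"C:\WINDOWS\system32\ntos.exe",
    },
    WINLOGON_KEY: {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\ntos.exe",
    },
}
INFECTED_SYSTEM_DIR = {"userinit.exe", "kernel32.dll", "ntos.exe", "wsnpoem"}
CLEAN_REGISTRY = {WINLOGON_KEY: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,"}}
CLEAN_SYSTEM_DIR = {"userinit.exe", "kernel32.dll"}

if __name__ == "__main__":
    for label, reg, names in (("infected", INFECTED_REGISTRY, INFECTED_SYSTEM_DIR),
                              ("clean", CLEAN_REGISTRY, CLEAN_SYSTEM_DIR)):
        hits = find_indicators(reg, names)
        print(label + ":", "no indicators" if not hits else "")
        for kind, detail in hits:
            print("  ", kind, "->", detail)
```

The Winlogon check is the one worth keeping even after the other indicators are gone: a clean `Userinit` value contains only `userinit.exe` (with its trailing comma), so any second path there is a persistence hook regardless of the file name it points at, which is why `extra_userinit_entries` flags every non-default entry rather than only `ntos.exe`.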